One set of code, two authentication schemes Forms Auth + Windows Auth: The lesser of evils

Question

We have an application that is currently required to be accessed using two authentication schemes, Forms Auth and Active Directory or NTLM / Windows Auth.

The way the application is now, there are two IIS sites pointing to different folders with the same set of files, everything identical except the web.config.

Before anyone flames me this was an inherited application, but nevertheless one I am now responsible for. We have an opportunity to do some refactoring and I'm trying to figure out the best way to proceed.

Let's say the requirements for straight NTLM authentication for the application stands. You have to be able to access the app with an integrated AD prompt, allowing the employees on the internal network to access the site without manually logging in at all.

Now suppose the same application also needs to be accessible from users outside the organization as well. Using forms authentication and the Membership provider. What's the least horrible way to configure this application?

Is there any possible way to configure IIS to use a file named something other than web.config for its config file? That could nip this in the bud right there.

In source control I'm thinking the way to go is to have all the source files in one project, a 'shared' project, and use build time events to copy themselves into the two consuming web projects on build of either of the consuming projects. Then we can continue to deploy the application in two different folders but at least in source control the common source files will exist in only one place. The downside of this is we would lose dynamic compilation, which really sucks. But better that than a ton of duplication.

I did some experimentation with routing but it seems as if you can't route to a file outside of the application's root, which would need to be different to define the different authentication schemes, so I don't think that would work.

Any thoughts, feedback or ideas are greatly appreciated,

BD

Recommended answer

You can try one web site with kind of mixed mode authentication. Check this article: http://www.pluralsight-training.net/community/blogs/craig/archive/2004/07/24/1699.aspx.

The idea is to have Forms Authentication in the ASP.NET configuration and have both anonymous access as well as Windows authentication marked in IIS. So whenever the server sends a 401, the browser will supply Windows credentials; otherwise the login form will be displayed. The article author has provided a checkbox on the login form that would issue a 401 to get Windows credentials and then use them to issue the authentication ticket.

Another variation (from a user experience perspective) is to have a default page that will request integrated Windows authentication in IIS (no anonymous access). Internal users can visit the site and get authenticated via this default page, and then the default page will redirect to the application main/home page. External users are requested to use the login page that does forms authentication and then redirect to the main page.
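
The second variation above, sketched as an added example (not code from the original answer or the linked article): a single page that IIS protects with Windows authentication and that exchanges the verified Windows identity for a forms authentication ticket. The page name `WinLogin`, the domain `CORP` and the helper `IsAllowedWindowsUser` are hypothetical; it assumes `<authentication mode="Forms">` in web.config, anonymous access disabled in IIS for this one file only, and URL authorization that lets unauthenticated requests reach the page.

```csharp
// WinLogin.aspx.cs (hypothetical name). The .aspx file declares Inherits="WinLogin".
// Assumed setup: <authentication mode="Forms"> in web.config; in IIS this one
// file has Anonymous Authentication disabled and Windows Authentication enabled.
using System;
using System.Web.Security;
using System.Web.UI;

public class WinLogin : Page
{
    // Placeholder: NetBIOS name of the only domain allowed to sign in this way.
    private const string AllowedDomain = "CORP";

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // IIS sets LOGON_USER itself after NTLM/Kerberos succeeds; it is not
        // copied from a request header and stays empty for anonymous requests.
        string logonUser = Request.ServerVariables["LOGON_USER"];

        if (!IsAllowedWindowsUser(logonUser))
        {
            // Fail closed: never issue a ticket without a verified identity.
            // Send the caller to the ordinary forms login page instead.
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // Keep the DOMAIN\user form as the ticket name so it stays distinguishable
        // from Membership user names (assumes those never contain a backslash).
        FormsAuthentication.SetAuthCookie(logonUser, false);

        // Redirect to the configured defaultUrl and ignore any ReturnUrl query
        // value, so this page cannot be used as an open redirect.
        Response.Redirect(FormsAuthentication.DefaultUrl);
    }

    private static bool IsAllowedWindowsUser(string logonUser)
    {
        if (string.IsNullOrEmpty(logonUser)) return false;
        int slash = logonUser.IndexOf('\\');
        if (slash <= 0 || slash == logonUser.Length - 1) return false;
        string domain = logonUser.Substring(0, slash);
        return domain.Equals(AllowedDomain, StringComparison.OrdinalIgnoreCase);
    }
}
```

Because the rest of the site only ever sees the forms ticket, authorization code should treat the ticket name as the identity and must not assume that every ticket holder is a Membership user.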
